I believe user training is essential, but we need to ensure that the amount of malware is diminished, reducing the possibility that a user action may infect the network.

We implemented firewalls with gateway antivirus, intrusion protection, and application control at each site, blocking encrypted key exchange and HTTPS proxy, which some ransomware uses to fetch the encryption keys.

We also began filtering SMTP traffic using a third-party appliance, reducing the amount of email received by close to 80%. All zipped or macro-enabled attachments are quarantined on our mail server. Our customers/vendors are made aware of our requirements to limit these types of files, and for the most part, they comply.

The number of infections across the network has dropped dramatically, and all users, including our CEO, now inform the team of suspicious emails rather than opening them.
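Added example (not code from the thread or from any of the posters): a Python triage routine in the spirit of the attachment quarantine described in the post above. It parses a message, flags archive and macro-enabled extensions, and additionally opens any Office (OOXML) attachment to look for a vbaProject.bin part, so a macro document that arrives with a misleading .docx name is still caught. The extension lists and the sample message are constructed for illustration and are assumptions, not anything the poster's appliance does.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed lists for this example; tune to your own policy.
ARCHIVE_EXTS = {".zip", ".7z", ".rar", ".cab"}
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".ppam"}


def office_part_has_vba(data: bytes) -> bool:
    """OOXML files (docx/xlsx/pptx) are zip containers; a VBA project lives in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return a verdict string; anything other than "allow" means quarantine."""
    ext = os.path.splitext((filename or "").lower())[1]
    if ext in ARCHIVE_EXTS:
        return "quarantine: archive"
    if ext in MACRO_EXTS:
        return "quarantine: macro-enabled extension"
    # Content check: a zip signature plus a VBA part catches macro documents hiding behind another extension.
    if data[:2] == b"PK" and office_part_has_vba(data):
        return "quarantine: VBA project inside Office document"
    return "allow"


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and classify each attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdicts.append((name, classify_attachment(name, part.get_payload(decode=True) or b"")))
    return verdicts


def build_sample_message() -> bytes:
    """Constructed test message: a zip, a VBA-bearing container named .docx, and a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.com"
    msg["To"] = "ap@example.net"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="invoice.zip")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # minimal OOXML-like container carrying a VBA part
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="quote.docx")
    msg.add_attachment("just some notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in triage_message(build_sample_message()):
        print(f"{name}: {verdict}")
```

The content check matters more than the extension lists: an extension filter alone is only as good as the sender's honesty about the file name, while the zip-container inspection decides on what the file actually contains.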

Seeing many reports of infections of all the variants of CryptoLocker got me thinking about protecting file servers in a different way. It seems that with every virus definition, software restriction...

Yes, we are implementing a layered approach. One of the first technologies implemented was Local Administrator Password Solution by Microsoft. Now this only helps to protect the endpoint from being compromised. We are still researching and exploring others that will help keep user files from being infected. Not sure if this can be completely stopped, and as Bruce mentioned, training and backup are critical.

Since upgrading my org to Windows 10, the funny benefit of Edge not supporting any add-ons appears to be that it’s very resilient to the typical zero-day vulnerabilities from your usual Java and Flash plugins, since it possesses neither and only supports the functionality natively via HTML instead. That’s not to say it cannot still happen, but I have not had a ransomware issue on any machine running a Windows version higher than 7 as of yet.

Granted, I’ve instituted a “no Chrome, no Firefox, and IE only for printing from the web for the very few individuals who need to do so” policy, so that greatly reduces our vulnerability footprint, since Edge is both still pretty new and does not support add-ons and plugins. I wish I could say most folks could do what I’ve done to mitigate, but I realize my user base is not very web-centric at all, with only half a dozen users having any real need to spend significant amounts of time on the internet.

I started seeing ransomware on Android devices as long as two years ago, when I still worked for the Orange and Black in a big blue box ^.^. It’s been around a long time, but you won’t see very much of it outside certain brand devices and folks who root their devices.

We utilise a deny-all software restriction policy and whitelist known paths or publishers (paths such as C:\Windows or C:\Program Files). Local users are not administrators. Should something be received via email (a crafty macro Word doc that retrieves content), I am hoping this measure prevents execution of said crypto software.
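Added example (not code from the thread or from the poster): a small Python model of the deny-by-default path rule described above. It is not Software Restriction Policies itself, which are configured through Group Policy; it only shows the matching logic such a rule has to get right, namely that a path is canonicalised (case, separators, ".." segments) before comparison and that the allowed root is anchored on a real directory boundary, so a sibling directory that merely shares a prefix is still denied. The allow-list and the sample paths are constructed for illustration.

```python
import ntpath

# Constructed allow-list mirroring the roots named in the post (assumption for this example).
ALLOWED_ROOTS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]

# Constructed sample paths covering the cases a path rule must get right.
SAMPLE_PATHS = [
    r"C:\Windows\System32\notepad.exe",                # under an allowed root
    r"c:/windows/system32/cmd.exe",                    # same root, different case and separators
    r"C:\Program Files\Vendor\app.exe",                # allowed installed-software location
    r"C:\Users\alice\AppData\Local\Temp\invoice.exe",  # user profile: not under any allowed root
    r"C:\Windows\..\Users\alice\Downloads\doc.exe",    # ".." segment: must be resolved before matching
    r"C:\Program Files Shadow\evil.exe",               # sibling directory sharing a prefix: must be denied
]


def canonical(path: str) -> str:
    # normpath collapses "." and ".." and unifies separators; normcase lower-cases,
    # since Windows paths are case-insensitive. ntpath works on any platform.
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True only if path equals root or lies beneath it with a real separator boundary."""
    p, r = canonical(path), canonical(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def execution_allowed(exe_path: str, roots=ALLOWED_ROOTS) -> bool:
    """Deny by default; allow only when the canonical path sits under an allowed root."""
    return any(is_under(exe_path, root) for root in roots)


def evaluate(paths, roots=ALLOWED_ROOTS) -> dict:
    """Map each path to its allow/deny decision."""
    return {p: execution_allowed(p, roots) for p in paths}


if __name__ == "__main__":
    for path, allowed in evaluate(SAMPLE_PATHS).items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {path}")
```

The same logic is what makes the poster's second measure (no local administrators) essential: a path rule only holds if ordinary users cannot write beneath the allowed roots, so the two settings work together rather than independently.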

Hi Robert, we had a demo of Dark Trace a few months back. Looks like a pretty cool tool. I am always leery, though, when it seems “too good to be true” from a price perspective. How long have you been using Dark Trace?

I have yet to see an AV product that stops everything.
As everyone has pointed out already, the layered approach is the best.

Coincidentally, a local business was recently hit with ransomware, and they were flummoxed because they believed they had one of those “we stop everything, even X” AV solutions. They were without everything, even phones, for an entire week. Obviously there were some other glaring security issues, but never buy the “we can do it all” sales pitch.

Hello. We are an MSP, and we have been dealing with a rise in ransomware incidents in the last 1-2 years. We find it is best to educate the users, since they are on the front lines and, if educated, will not be as likely to click on malicious links. We also recommend locking down the PCs so there are no local admin rights, and making sure UAC and the Windows firewall are on.

At the gateway we use managed SonicWall firewalls with the full Security Suite… We use SonicWall Geo-IP filtering to block countries with the highest incidence of attacks, we block botnet command and control servers and the Malware & Proxy URL categories, along with any other categories not needed by the client. It is also very good to block the “uncategorized” URL category, since most of the phone-home (encryption) traffic goes to recently registered domain names. Another thing that has helped in a BIG way is doing application filtering and blocking all proxy and P2P traffic at the application level. This blocks the UDP encrypted key exchange, which is what occurs when the ransomware phones home to do the key exchange and encrypt the files. If you block the key exchange, the files will not be encrypted. This has helped significantly and (knock on wood) we have not had another incident of ransomware for any of our clients since implementing these changes. Hope this helps…

Is anyone under the impression that social engineering was founded by a hacker (data mining) and a marketing major (again, big ideas on data mining: barrage you with ads and find out what you like to steer the proper products to you)? I still have yet to find a good use that outweighs the bad uses.

Only a few weeks after our firm leaped onto LinkedIn at the behest of the marketing dept, our upper management was hit with emails, a few of which I know were based on data from LinkedIn, and of course they were able to match a name to a domain to easily find a proper email address to send to.

As an SMB, we’re constantly struggling to find funds for even basic tools, so we’re currently using several of the tools included in both Office 365 and Cloudflare to filter inbound emails that have links or attachments, as well as those coming from bad IPs… and we spend a bunch of time on training. Additionally, we’ve worked out a regular backup process that should allow us to keep the damage minimized should someone “click”.

If you’ve got the funds, though, be cautious about anyone claiming immunity with a single tool… they might hit the vast majority of potential entry vectors, but “total immunity” seems like a pretty tall claim in the world of cyber security. Just my $.02 USD.

Can you be more specific about which countries you actually block? I’ve seen some instances where certain sites are not accessible due to enabling Geo-IP filtering. Would you mind sharing your thoughts on which specific countries are safe to block?